2008/1/17, Andrew Farris <lordmorgul gmail com>:
> SELinux *should* be in every official Fedora spin, especially those to be used
> on networked computer systems. But it should also be possible to turn it off
> and/or uninstall it, and be possible to build custom packages for embedded
> processing applications without it... but if I want an embedded linux with
> selinux enabled why shouldn't it be there available?
I am sure that you are aware of this, but it is currently _very_ easy
to disable SELinux during install. The problem is how to communicate
clearly to the user when, why, and if SELinux should be disabled.
Given the complexity of a system like SELinux, it is very difficult to
explain to non-technical users what SELinux actually does. The current
dialog in firstboot makes no attempt to explain this in a
non-technical way, which makes it very hard for new users to decide
whether or not this is something they want. Perhaps both the firewall
and SELinux page should ask whether or not the user is aware of what
these settings actually do before they are forced to make a choice?
Personally I haven't had any trouble with SELinux as long as I stick
to software that is part of Fedora, but the problem arises as soon as
somebody tries to install proprietary (shivers) software such as
Matlab. I am well aware that supporting non-free software is not on
Fedora's agenda, but this is a real-world example of where SELinux
makes ordinary users unhappy. I try to convince my Matlab-using
friends and colleagues that numpy and scipy are superior alternatives,
but it is hard to save the world all by yourself.
So what is my conclusion? Well, given how easy it is for the user to
disable SELinux during install if he or she does not want to use it
for one reason or another, I see no reason to disable it by default.
SELinux is an important technology that protects the computer from
threats both from the inside (buggy sw) and from the outside. If
Fedora cannot provide policies for SELinux that work in a real-world
environment, then that is a bug and should be fixed; problems do not
go away by ignoring them.
Regards,
--
Trond Danielsen